Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to access a property on the last element in an array,accessing last element in json array?

marcovdlinden
New Member
‎08-30-2019 03:23 AM

Hi I have json events that have an array with objects and i want to extract a property from it

Some pseudo search code

| spath output=LastResult  path=message.results{-1}
| table LastResult.timestamp

{-1} indexing does not seem to work in spath

| spath output=Results  path=message.results{}
| eval LastResult=mvindex(Results, -1)
| table LastResult.timestamp

Also does not work because LastResult has become a string version of the last array element so .timestamp does not work on that string.

my actual objects are a bit more complex and I want to get multiple properties so a regex on the string returned by mvindex is not really an option.

Is there a good way to do this?

,I got a json that with arrays in events.
I'd like to access a property of the last element in such array

| spath output=LastResult path=message.results{-1}
| table LastResult.timestamp

but {-1} does not seem to work for indexing the last element

| spath output=Results path=message.results{}
| eval LastResult= mvindex(Results, -1)
| table LastResult.timestamp

mvindex does accept -1 and it does get the last result from the array
But also does not work because LastResult becomes a string instead of an json object and thus .timestamp does not work

Is there a way to do this?

0 Karma
Reply

poete
Builder
‎08-30-2019 07:33 AM

Hello @marcovdlinden ,

check this. It should solve you problem.

| makeresults 
| eval _raw = "{\"message\":{\"results\":[1,2,3], \"otherFields\":0}"
| spath output=result message.results{}
| eval res = mvindex(result,mvcount(result)-1)
Reply

jawaharas
Motivator
‎08-30-2019 05:45 AM

Can you provide sample JSON?

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...
Top